Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Network-accessible WordPress plugin requiring only subscriber authentication (PR:L); deletion-only impact maps solely to availability (A:H), with no confidentiality or integrity effect.
Primary rating from Vendor (Patchstack).
CVSS VectorVendor: Patchstack
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
2DescriptionCVE.org
Subscriber Arbitrary Content Deletion in WPAMS < 49.5.3 versions.
AnalysisAI
Arbitrary content deletion in the WPAMS WordPress plugin (versions prior to 49.5.3) by Mojoomla allows any authenticated subscriber-level user to delete content they are not authorized to remove. Rooted in a missing authorization check (CWE-862), this flaw bypasses WordPress capability controls entirely for deletion operations. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a subscriber-level WordPress account on the target site - confirmed by the CVSS PR:L metric. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 base score of 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H) accurately reflects a moderate-to-high severity issue where the attack vector is network-based, complexity is low, and the required privilege is minimal (subscriber). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers a free subscriber account on a WordPress site running WPAMS prior to 49.5.3, then crafts an authenticated HTTP request targeting the plugin's content deletion endpoint - bypassing the absent authorization check. Without requiring any elevated privileges or administrator interaction, the attacker can systematically delete apartment listings, tenant records, or other managed content, causing significant availability and operational damage to the property management site. … |
| Remediation | Upgrade WPAMS to version 49.5.3 or later, which contains the vendor-released patch per Patchstack advisory and EUVD-2026-37468. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37468